enlightenment/efl
enlightenment
/
efl
8
7
Fork 15
Code Issues 12 Pull Requests 2 Projects Releases Wiki Activity

evas: Replace EINA_LIST_FOREACH_SAFE to while statement. 

Clipees can be cleared before the loop is finished because
evas_object_clip_unset calls smart function of clip_unset.
So, if we use EINA_LIST_FOREACH_SAFE, invalid next list pointer
can be kept and read after obj->clip.clipees is freed.

Thanks to Davide Andreoli for reporting.

@fix
This commit is contained in:
WooHyun Jung 2014-03-11 16:34:56 +09:00
parent 1b2f732d2a
commit 2791c3dc06
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/lib/evas/canvas/evas_object_main.c
View File

@ -621,7 +621,6 @@ _destructor(Eo *eo_obj, void *_pd, va_list *list EINA_UNUSED)
return;
MAGIC_CHECK_END();
Evas_Object_Protected_Data *obj = _pd;
Evas_Object_Protected_Data *tmp;
Evas_Object *proxy;
Eina_List *l, *l2;
@ -654,8 +653,14 @@ _destructor(Eo *eo_obj, void *_pd, va_list *list EINA_UNUSED)
goto end;
}
evas_object_grabs_cleanup(eo_obj, obj);
EINA_LIST_FOREACH_SAFE(obj->clip.clipees, l, l2, tmp)
evas_object_clip_unset(tmp->object);
/* "while" should be used for null check of obj->clip.clipees,
because evas_objct_clip_unset can set null to obj->clip.clipees */
while (obj->clip.clipees)
{
Evas_Object_Protected_Data *tmp;
tmp = eina_list_data_get(obj->clip.clipees);
evas_object_clip_unset(tmp->object);
}
EINA_LIST_FOREACH_SAFE(obj->proxy->proxies, l, l2, proxy)
{
if (eo_isa(proxy, EVAS_OBJ_IMAGE_CLASS))